Dutch police have revealed that they were able to spy on the communications of more than 100 suspected criminals, watching live as over a quarter of a million chat messages were exchanged.

The encrypted messages were sent using IronChat, a supposedly secure encrypted messaging service available on BlackBox IronPhones.

The website of Blackbox Security used to prominently boast a quote from a certain Edward Snowden:

“I use PGP to say hi and hello but use IronChat(OTR) to have a serious conversation”

You won’t see that quote on Blackbox Security’s website today, though, as its server has been seized by Dutch law enforcement.

Criminals were amongst those who purchased the IronPhones, and used the IronChat app to communicate openly about their activities, believing that they were safe as they paid up US $1500 for a six month subscription to the service. What they did not realise was that the app had been compromised by police.

Police haven’t described how they made the breakthrough of managing to crack the IronChat system, and snoop upon encrypted messages, but the suspicion will be that the encrypted chat app had a weakness – such as its reliance on a central server.

In a statement, police in the Netherlands explained that as a result of their surveillance, law enforcement agencies have seized automatic weapons, large quantities of hard drugs (MDMA and cocaine), 90,000 Euros in cash, and dismantled a drugs lab.

In addition, a number of suspects are also said to have already been arrested, with multiple searches taking place in various locations around the country.

“This operation has given us a unique insight into the criminal world in which people communicated openly about crimes,” said Aart Garssen, Head of the Regional Crime investigation Unit in the east of the Netherlands.

Police only decided to shut down the service after they became aware that criminals were beginning to suspect each other of leaking information to the police, introducing a very real risk that there could be a threat to individuals’ safety. For this same reason, Dutch authorities decided to go public about their access to the chat system at a press conference.

The owner of Blackbox Security, a 46-year-old man from Lingewaard, and his partner, a 52-year-old man from Boxtel, have been arrested on suspicion of money laundering and participation in a criminal organisation. Their homes and company premises have also been searched.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments

1. Never implement your own crypto systems. Always use NIST approved algorithms or ciphers
2. Regardless of how secure the cipher," poor implementation" will leak information and compromise the system(s) or data being protected